Merge branch 'devise_paranoid_mode' into 'master' · 0c0854c8
Robert Speicher authored

Enable Devise paranoid mode and ensure the returned message is the same
every time. This will prevent user enumeration (low impact).

Prior to this change a user could type an email in the password reset
field and if the email didn't exist it returned an error. If the email
was valid it returned a message saying the forgot password link had been
emailed. After this change the user will receive a message that if the
email is in our database the reset link will be emailed.

I also changed the throttle mechanism so it still works the same but
now returns the exact same message as above. Previously it would say
'You've already sent a request. Wait a few minutes'. This also allows
user enumeration, although it requires a double-check.

Related to https://dev.gitlab.org/gitlab/gitlabhq/issues/2624

See merge request !2044
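The behaviour the commit message describes, as an added example that is not GitLab's or Devise's own code: the pre-change handler answers differently for unknown, known and throttled emails, while the post-change handler returns one neutral reply and keeps the throttle as a silent check. The class, method names and the exact message wording are assumptions.

```ruby
# Added example (not GitLab's code): models the password-reset responses
# before and after the change the commit message describes.
# Assumptions (constructed): users is a Hash of email => record, the throttle
# is an in-memory per-email timestamp, and "delivery" is recorded, not mailed.
THROTTLE_SECONDS = 600
NEUTRAL_MESSAGE  = 'If your email address exists in our database, you will ' \
                   'receive a password recovery link at your email address in a few minutes.'

class ResetFlow
  attr_reader :sent

  def initialize(users, throttle_window: THROTTLE_SECONDS)
    @users = users          # email => user record (constructed sample data)
    @last_request = {}      # email => Time of the last accepted request
    @sent = []              # emails that would have been mailed
    @window = throttle_window
  end

  # Pre-change behaviour: three different replies leak whether the email exists.
  def request_before(email, now = Time.now)
    return 'Email not found.' unless @users.key?(email)
    return "You've already sent a request. Wait a few minutes." if throttled?(email, now)

    deliver(email, now)
    'Password reset instructions have been sent.'
  end

  # Post-change behaviour (Devise paranoid mode): one reply in every case.
  # The throttle still suppresses the mail, but it no longer changes the reply.
  def request_after(email, now = Time.now)
    deliver(email, now) if @users.key?(email) && !throttled?(email, now)
    NEUTRAL_MESSAGE
  end

  private

  def throttled?(email, now)
    last = @last_request[email]
    !last.nil? && (now - last) < @window
  end

  def deliver(email, now)
    @last_request[email] = now
    @sent << email
  end
end
```

A tester can still tell the branches apart by timing or by checking a mailbox they control, which is why the commit calls the impact low rather than zero.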